Advertisement
Security

Critical Unauthenticated Access Flaw Found in Grafana OnCall

A critical vulnerability in Grafana OnCall allows unauthenticated remote attackers to gain full administrative access via hardcoded default identifiers.

··1 hour ago·1 min read
pink and white love you and love me print padlock
Photo by FlyD on Unsplash
Advertisement

Grafana OnCall versions up to 1.16.11 are affected by a critical vulnerability, tracked as CVE-2026-63087, which permits unauthenticated remote attackers to obtain a valid PluginAuthToken. By sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values found in the public source tree, an attacker can bypass authentication mechanisms.

Once a token is acquired, attackers can authenticate against all internal API endpoints. This access allows for the creation of arbitrary Admin users, the revocation of legitimate tokens, and the redirection of API traffic to attacker-controlled hosts by overwriting organization configurations. With a CVSS score of 9.8, this vulnerability poses a significant security risk to affected systems.

#vulnerability#grafana#cve-2026-63087#authentication-bypass

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement